Enabling PAM authentication

When your Linux® management hosts use either Microsoft Active Directory (AD) or MIT Kerberos as the KDC, enable PAM authentication so that users can log on with their PAM user name and password.

Before you begin

The PAM environment must be set up properly on all your management hosts. To take advantage of user management, the getent passwd and getent group commands must list the users and user groups that are to be loaded into the cluster with no domain name in the user name or group name (for example, alice rather than CORP\alice or alice@CORP.EXAMPLE).

About this task

To enable PAM authentication in the cluster, configure the ENABLE_PAM_AUTH and PAM_SERVICE parameters in the sec_ego_gsskrb.conf file on all management hosts. To allow user logons with the PAM user name and password from Linux compute or client hosts, set the ENABLE_PAM_AUTH parameter in the sec_ego_gsskrb.conf file on each such host.

With PAM authentication enabled, a PAM credential cache (instead of a Kerberos credential cache) is generated at the location set by the EGOCC_FILE environment variable. After a user logs on with the PAM user name and password, an EGO credential for PAM is generated; this credential is also used for subsequent logons. If the authentication client (for example, the egosh user logon or the soamlogon command) needs the EGO credential to be saved to a credential cache, it is saved to the cache set by EGOCC_FILE, if that variable is set. Otherwise, it is saved to the default credential cache (/tmp/secegocc_uid, where uid is the user's numeric ID).

A single authentication client might have two credential caches: a Kerberos credential cache and an EGO credential cache. The Kerberos credential cache is used before the EGO credential cache; in other words, Kerberos authentication is used as long as the Kerberos credential cache exists. Credentials are used in the following order of precedence: KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid.

If the selected credential is not valid, authentication fails; it does not fall through to the next credential in the order even if that one exists. In particular, an expired Kerberos credential cache blocks PAM logon until the stale cache is removed (for example, with kdestroy).
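The selection order above, as an added shell example that is not part of the product: it reproduces the precedence KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid by file existence and, when klist is available, checks whether the Kerberos cache it lands on is still valid, because an expired Kerberos cache fails the logon instead of falling through to the EGO credential. The cache directory argument, the FILE: prefix handling and the klist check are assumptions of the example, not documented product behaviour.

```shell
#!/bin/sh
# Added example (not IBM product code): show which credential cache an EGO
# authentication client would pick, following the documented precedence
# KRB5CCNAME > /tmp/krb5cc_uid > EGOCC_FILE > /tmp/secegocc_uid.
# Assumptions: "uid" is the numeric user ID; the cache directory is a
# parameter (default /tmp) so the logic can be exercised without touching
# real caches; a KRB5CCNAME of the form FILE:/path refers to /path.

# resolve_credential_cache UID KRB5CCNAME EGOCC_FILE [DIR]
# Prints "kerberos <path>" or "ego <path>" for the cache that would be used;
# returns 1 if no cache exists (the user would have to log on first).
resolve_credential_cache() {
    cc_uid=$1
    cc_krb_env=${2#FILE:}
    cc_ego_env=$3
    cc_dir=${4:-/tmp}
    if [ -n "$cc_krb_env" ] && [ -f "$cc_krb_env" ]; then
        printf 'kerberos %s\n' "$cc_krb_env"
    elif [ -f "$cc_dir/krb5cc_$cc_uid" ]; then
        printf 'kerberos %s\n' "$cc_dir/krb5cc_$cc_uid"
    elif [ -n "$cc_ego_env" ] && [ -f "$cc_ego_env" ]; then
        printf 'ego %s\n' "$cc_ego_env"
    elif [ -f "$cc_dir/secegocc_$cc_uid" ]; then
        printf 'ego %s\n' "$cc_dir/secegocc_$cc_uid"
    else
        return 1
    fi
}

# check_selected_cache UID KRB5CCNAME EGOCC_FILE [DIR]
# Warns when the selected cache is a Kerberos cache whose tickets are no
# longer valid: authentication then fails outright rather than falling
# through to the EGO credential, so the stale cache has to be removed first.
check_selected_cache() {
    sel=$(resolve_credential_cache "$@") || {
        echo "no credential cache found; log on first" >&2
        return 1
    }
    kind=${sel%% *}
    path=${sel#* }
    if [ "$kind" = kerberos ] && command -v klist >/dev/null 2>&1; then
        # klist -s exits non-zero when the cache is missing, expired or unusable
        if klist -s -c "$path"; then
            echo "using valid Kerberos cache $path"
        else
            echo "Kerberos cache $path is expired or invalid; logon will fail." >&2
            echo "Remove it (kdestroy -c $path) to fall back to the EGO credential." >&2
            return 2
        fi
    else
        echo "using $kind cache $path"
    fi
}

# Typical use, for the current user:
#   check_selected_cache "$(id -u)" "$KRB5CCNAME" "$EGOCC_FILE"
```

Run the last line before opening a support case for "PAM logon fails": if it reports an expired Kerberos cache, the client never reaches the PAM credential, which matches the behaviour described above.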

Note: Be mindful of performance when using PAM authentication in your cluster: ensure that the PAM policy selected by the PAM_SERVICE parameter returns authentication results without delay. A slow PAM policy significantly degrades the authentication server's performance, especially in VEMKD processes. An example is the pam_krb5 module, which forks several child processes during authentication; for a VEMKD process with a large memory footprint, each fork is more expensive and can affect performance.

Procedure

  1. Enable PAM authentication in the cluster by configuring the ENABLE_PAM_AUTH and PAM_SERVICE parameters in the sec_ego_gsskrb.conf file on each management host:
    • ENABLE_PAM_AUTH: Enable PAM authentication for user logons when a user name and password are provided. Valid values are Y to enable PAM authentication or N to disable PAM authentication. Default is N. For example:
      ENABLE_PAM_AUTH=Y
    • PAM_SERVICE (required when ENABLE_PAM_AUTH=Y): Specify the name of the PAM policy (service) file in the /etc/pam.d/ directory; the value sshd, for example, selects /etc/pam.d/sshd. For example:
      PAM_SERVICE=sshd
  2. Enable user logons with the PAM user name and password from Linux compute or client hosts by enabling the ENABLE_PAM_AUTH parameter in the sec_ego_gsskrb.conf on each compute or client host. For example:
    ENABLE_PAM_AUTH=Y
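The whole procedure on one host, together with the getent pre-check from "Before you begin", as an added shell example that is not part of the product: it sets both parameters on a management host (or only ENABLE_PAM_AUTH on a compute or client host) and refuses a PAM_SERVICE whose policy file does not exist in /etc/pam.d. The location of sec_ego_gsskrb.conf under $EGO_CONFDIR, the host-role argument and the rewrite-in-place approach are assumptions of the example; check where the file lives in your installation before running it.

```shell
#!/bin/sh
# Added example (not IBM product code): enable PAM authentication on one host.
# Assumptions: sec_ego_gsskrb.conf lives under $EGO_CONFDIR (pass the path
# explicitly if it does not); the PAM policy directory is /etc/pam.d.

# check_no_domain_names: read passwd/group-format lines on stdin and report
# any name that carries a domain (DOMAIN\user or user@REALM); returns 1 if
# one is found, which means user management would load the wrong names.
# Run as: getent passwd | check_no_domain_names; getent group | check_no_domain_names
check_no_domain_names() {
    awk -F: '
        $1 ~ /[@\\]/ { printf "domain-qualified name: %s\n", $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# set_param FILE KEY VALUE: set KEY=VALUE in a key=value file, replacing an
# existing line for KEY and keeping every other line unchanged.
set_param() {
    sp_file=$1; sp_key=$2; sp_value=$3
    sp_tmp="$sp_file.tmp.$$"
    [ -f "$sp_file" ] || : > "$sp_file"
    { grep -v "^$sp_key=" "$sp_file" || :; printf '%s=%s\n' "$sp_key" "$sp_value"; } > "$sp_tmp"
    mv "$sp_tmp" "$sp_file"
}

# configure_pam_auth CONF ROLE [PAM_SERVICE] [PAM_DIR]
#   ROLE "management": sets ENABLE_PAM_AUTH=Y and PAM_SERVICE (step 1).
#   ROLE "compute":    sets ENABLE_PAM_AUTH=Y only, as on compute and
#                      client hosts (step 2).
configure_pam_auth() {
    cp_conf=$1; cp_role=$2; cp_service=$3; cp_pamdir=${4:-/etc/pam.d}
    case $cp_role in
    management)
        if [ -z "$cp_service" ]; then
            echo "PAM_SERVICE is required when ENABLE_PAM_AUTH=Y" >&2
            return 1
        fi
        if [ ! -f "$cp_pamdir/$cp_service" ]; then
            echo "PAM_SERVICE=$cp_service: no policy file $cp_pamdir/$cp_service" >&2
            return 1
        fi
        set_param "$cp_conf" ENABLE_PAM_AUTH Y
        set_param "$cp_conf" PAM_SERVICE "$cp_service"
        ;;
    compute)
        set_param "$cp_conf" ENABLE_PAM_AUTH Y
        ;;
    *)
        echo "role must be management or compute" >&2
        return 1
        ;;
    esac
}

# Typical use on a management host (EGO_CONFDIR is assumed to be set by the
# EGO environment profile):
#   getent passwd | check_no_domain_names && getent group | check_no_domain_names \
#     && configure_pam_auth "$EGO_CONFDIR/sec_ego_gsskrb.conf" management sshd
```

Run it on every management host with the management role and on every compute or client host with the compute role; the getent checks only need to pass on the management hosts, where user management reads them.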

What to do next

For a sample scenario, see Using additional configuration for a Linux cluster (MIT Kerberos as KDC).